We explore the ways that charities can mitigate the risks coming from inside their organisation
Insiders – people who work for your charity – are a huge cyber security risk.
That’s because they can easily access your charity’s computer systems and data while they carry out their jobs. By contrast, cyber criminals have to break into your network and gain access to your computers before they can get their hands on your data or infect your systems with malware such as ransomware.
An insider with malicious intent can therefore do your charity harm much more easily than a cyber criminal trying to hack your organisation from the outside.
But employees don’t have to have malicious intent to be a cyber security threat. Insiders who are careless, ignorant of security threats, or who try to be helpful – perhaps by lending a colleague a password so that they can access a particular account – can also be the cause of cyber security breaches which can have catastrophic consequences for your charity.
To get an idea of the scale of the insider threat, the Verizon 2021 Data Breach Investigations Report found that insiders are responsible for about 22% of all security incidents.
Of these, about 14% were caused by malicious insiders (which includes disgruntled employees or staff who had recently been made redundant) and 62% were caused by negligent insiders who had acted carelessly.
A quarter of the negligent insiders caused security breaches by allowing their passwords or other security credentials to be guessed or accessed.
There are a number of measures that your charity should take to protect itself from insider threats, and these can be split into two groups: security measures aimed at negligent insiders and security measures designed to protect against malicious insiders.
Training should also teach staff not to click on links or open attachments in unexpected emails, and never to log on to websites to “reconfirm their account details” by following links from emails.
A quarter of security breaches caused by negligent insiders relate to passwords, so it is essential that staff understand what they should and shouldn’t do with them. In particular, it is important that staff use long passwords which are difficult to guess, and that they never reuse the same password for different accounts.
Since long passwords are difficult to remember, staff should be encouraged to use a password manager to store their passwords rather than resorting to writing their passwords down where they could be found by other staff.
Shadow IT consists of any IT resources that staff use without the knowledge of your charity’s IT department, or which they use without permission. For example, a staff member may decide to bypass your charity’s CRM system and store contact details on a cloud-based service that they like.
Or they may decide to plug a Wi-Fi access point into the network near their desk so that they can use their phone for work more easily.
The problem with shadow IT is that it often bypasses the security systems that your charity has in place, and even though it may be convenient to use, it can pose a severe security risk.
Security policies cover things such as whether staff are allowed to take charity data home on USB sticks so that they can work remotely, or whether data that is taken out of your charity offices must be encrypted.
Many insider cyber security breaches are caused by staff who break security policies either unwittingly or because they find them inconvenient without understanding their purpose. For that reason it is important to ensure that your security policies are clear, that they are communicated to staff on a regular basis, and that staff understand why they are in place even if they are inconvenient.
More than 30% of malicious insider attacks are carried out by people with criminal records, according to the USA’s Cybersecurity and Infrastructure Security Agency (CISA). Basic checks carried out by your charity’s recruiters can help you identify prospective employees with a history of fraud or theft.
Many insider attacks are carried out by disgruntled staff with a desire for revenge for some perceived slight such as being overlooked for a pay rise or promotion. Things to look out for include a drop in work performance, arriving late, and temper loss or other inappropriate work conduct.
Even if these changes are not a precursor to an insider attack they warrant attention because they may indicate that the staff member needs help.
Nearly three in five members of staff who lose their jobs take confidential information with them on a USB drive or other storage device, according to the Ponemon Institute. Data leak prevention (DLP) systems restrict the use of portable storage devices and monitor what information is copied onto them, and by whom.
Such systems can be useful in making it harder to copy information maliciously without being detected, but can’t prevent a trusted insider with authority to copy data from doing so maliciously.
Nearly seven in ten insider attacks are carried out by former staff within three weeks of leaving, according to CISA. Many of these attacks are made possible because staff still find they have access to computer systems using their user names and passwords.
Ensuring that their access is removed on the day that they leave the organisation can go a long way towards preventing former staff members from carrying out attacks in these crucial first three weeks.
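As an added example (not part of the original article), a small leaver-access check that compares an HR leavers list against the accounts still enabled in the charity’s directory and flags any account that survived its owner’s leaving date, marking those inside the three-week window mentioned above. The user names, dates and data layout are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical): leaving dates from HR, in ISO form,
# and a set of user names that are still enabled in the directory.
LEAVERS = {
    "a.smith": "2024-03-01",
    "b.jones": "2024-03-10",
    "c.patel": "2024-03-20",
    "e.khan": "2024-04-01",   # leaves in the future; account may stay enabled
}
ACTIVE_ACCOUNTS = {"a.smith", "c.patel", "d.lee", "e.khan"}

# CISA figure quoted in the article: most former-staff attacks occur within
# three weeks of leaving, so accounts inside that window are the most urgent.
HIGH_RISK_WINDOW = timedelta(days=21)


def stale_leaver_accounts(leavers, active, today):
    """Return accounts that are still enabled on or after the owner's leaving
    date, with the number of days since leaving and whether the account is
    still inside the high-risk window. Results are ordered most recent first."""
    today_d = date.fromisoformat(today)
    findings = []
    for user, left_on in leavers.items():
        left_d = date.fromisoformat(left_on)
        if user in active and today_d >= left_d:
            days = (today_d - left_d).days
            findings.append({
                "user": user,
                "days_since_leaving": days,
                "in_high_risk_window": days <= HIGH_RISK_WINDOW.days,
            })
    return sorted(findings, key=lambda f: f["days_since_leaving"])


if __name__ == "__main__":
    # Run the check as of a constructed date and print what needs disabling.
    for finding in stale_leaver_accounts(LEAVERS, ACTIVE_ACCOUNTS, "2024-03-25"):
        print(finding)
```

Run daily against a fresh directory export, the output is the list of accounts that should already have been disabled.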
An exit interview is a meeting with a staff member who is leaving or who has been made redundant, and this provides your charity with an opportunity to remind them that it is illegal to remove any data from your charity.
A friendly exit interview may be enough to make an employee who is thinking of taking data with them when they leave change their mind.